Cybercriminals Launch New BrasDex Android Trojan Focusing on Brazilian Banking Customers

Dec 20, 2022Ravie LakshmananBanking Malware / Cellular Safety

The risk actors behind the Home windows banking malware referred to as Casbaneiro has been attributed as behind a novel Android trojan known as BrasDex that has been noticed concentrating on Brazilian customers as a part of an ongoing multi-platform marketing campaign.

BrasDex includes a “advanced keylogging system designed to abuse Accessibility Providers to extract credentials particularly from a set of Brazilian focused apps, in addition to a extremely succesful Automated Switch System (ATS) engine,” ThreatFabric said in a report revealed final week.

The Dutch safety agency stated that the command-and-control (C2) infrastructure used at the side of BrasDex can be getting used to regulate Casbaneiro, which is understood to strike banks and cryptocurrency companies in Brazil and Mexico.

The hybrid Android and Home windows malware marketing campaign is estimated to have resulted in 1000’s of infections thus far.

BrasDex, which masquerades as a banking app for Banco Santander, can be emblematic of a brand new pattern that entails abusing Android’s Accessibility APIs to log keystrokes entered by the victims, shifting away from the standard technique of overlay assaults to steal credentials and different private information.

It is also engineered to seize account stability data, subsequently utilizing it to take over contaminated units and provoke fraudulent transactions in a programmatic method.

One other notable facet of BrasDex is its singular deal with the PIX funds platform, which permits banking clients in Brazil to generate income transfers merely utilizing their electronic mail addresses or cellphone numbers.

The ATS system in BrasDex is explicitly designed to abuse PIX know-how to make fraudulent transfers.

This isn’t the primary time the moment cost ecosystem has been focused by dangerous actors. In September 2021, Test Level detailed two Android malware households named PixStealer and MalRhino that tricked customers into transferring their whole account balances to an actor-controlled one.

ThreatFabric’s investigation into BrasDex additionally allowed it to achieve entry to the C2 panel utilized by the prison operators to maintain observe of the contaminated units and retrieve information logs exfiltrated from the Android telephones.

The C2 panel, because it occurs, can be being utilized to maintain tabs on a unique malware marketing campaign which compromises Home windows machines to deploy Casbaneiro, a Delphi-based monetary trojan.

This assault chain employs package deal delivery-themed phishing lures purporting to be from Correios, a state-owned postal service, to dupe recipients into executing the malware following a multi-staged course of.

Casbaneiro’s options run the standard backdoor gamut that enables it to grab management of banking accounts, take screenshots, carry out keylogging, hijack clipboard information, and even operate as a clipper malware to hijack crypto transactions.

“Being unbiased and full-fledged malware households, BrasDex and Casbaneiro type a really harmful pair, permitting the actor behind them to focus on each Android and Home windows customers on a big scale,” ThreatFabric stated.

“The BrasDex case exhibits the need of fraud detection and prevention mechanisms in place on clients units: Fraudulent funds made mechanically with the assistance of ATS engines seem authentic to financial institution backends and fraud scoring engines, as they’re made by way of the identical system that’s normally utilized by clients.”